
Store MySQL password in bash-script

Need to create simple mysql-backup script.

But - how can I store encrypted pass of MySQL user in it?

I want to avoid storing the password in plaintext in any additional files.

As I found in MySQL manual:

MySQL encrypts passwords stored in the user table using its own algorithm

So, there is no way to just get the hash and set it as a variable?

I mean:

DBHASH="cGFzc3dvcmQ="
DBPASS=`echo $DBHASH | openssl enc -base64 -d`

Is there any correct way to solve it? Thanks for tips.

It doesn't matter if the script contains a plaintext password or not if it includes a repeatable routine for getting into MySQL (i.e. automatically decrypting) - an attacker would just do the same. If you could pass the hash/decrypted password and have MySQL compare, it would be just as repeatable (and the hash would function as a password anyway).

So, the easy answer is: You can't do this. You have some options...

  • Set up a correctly chmoded (600) ~/.my.cnf with the credentials.
  • Create a 'restricted', password-less backup-account that is only allowed to log in from localhost.
  • Only allow backup logins from localhost/backup host in either case.
  • If you're on Debian you could use the debian-sys-maint account (which has a my.cnf already set up with credentials)
  • Restrict the mysql account and include the password in the script plain text, but only allow given user/root to read script (if you have root you can take over mysql anyway).
  • Read/'source' the config variables (username/password) from an external file (with correct chmod - 600)...but you're basically doing the my.cnf thing by then.

Remember a "backup account" does not need write privileges etc...
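
The first option in the list above (a mode-600 option file read by a restricted backup account), as an added shell example that is not part of the original answers. CRED_FILE, BACKUP_DIR and the `backup` MySQL user are assumed names; the script refuses to run if the option file is readable by anyone other than its owner.

```shell
#!/bin/sh
# Added example: backup wrapper that keeps the password out of the script.
# Assumed (hypothetical) names: CRED_FILE, BACKUP_DIR, the "backup" MySQL user.
#
# CRED_FILE is an option file in my.cnf format, e.g. (constructed sample):
#   [client]
#   user=backup
#   password=CHANGE_ME

CRED_FILE="${CRED_FILE:-$HOME/.my.cnf}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/mysql-backups}"

# Return 0 only if the path is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits (mode 600 or 400).
cred_file_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ -O "$f" ] || return 1
    # The "ls -ld" mode string is portable; stat(1) flags differ on GNU and BSD.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $mode in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

run_backup() {
    if ! cred_file_is_private "$CRED_FILE"; then
        echo "refusing $CRED_FILE: need a regular file you own, mode 600" >&2
        return 1
    fi
    umask 077    # the dump is as sensitive as the password itself
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/all-$(date +%Y%m%d-%H%M%S).sql"
    # --defaults-extra-file must be the first option. The password never
    # appears on the command line, so it does not show up in ps output.
    mysqldump --defaults-extra-file="$CRED_FILE" \
        --single-transaction --all-databases > "$out" && gzip "$out"
}

# Run only when invoked with "run", so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```
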

AFAICT, there's no way to do what you're looking for. Whether you store the hash or the original password, you will anyway store very sensitive information that might be used for evil if someone gets read access to your script.

What you may prefer is to instead set up a user account that can't log in, and set up MySQL so that user has the exact permissions for your script. And also make it so that this user is the only one having exec access to the script.
